flat assembler
Message board for the users of flat assembler.

why the simple program takes more than 3 MB of RAM?

KIRK 20 Dec 2007, 21:15
Code:
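format PE GUI 4.0             ; 32-bit PE executable, GUI subsystem
include 'win32ax.inc'         ; extended Win32 macros (invoke, .code, .end)
start:
.code
   invoke MessageBox,0,0,0,0  ; empty message box; imports from USER32.DLL
   invoke ExitProcess,0       ; imports from KERNEL32.DLL
.end start                    ; sets the entry point and builds the import table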

compiled to 1,5 kbytes

or http://board.flatassembler.net/topic.php?p=45385#45385 MessageBox example compiled to 680 bytes

I run the program, press Alt+Ctrl+Del and see that it takes 3520 KBytes!
Why so much?

AlexP 20 Dec 2007, 22:26
Maybe it's just the size of the page. Don't forget the 1 MB of stack space allocated for each thread (I think that's right). Well, disasm it and start counting!! It's probably just paging, stack space, or something like that. I had a program once that didn't use 'include', just did some other DLL loading. I disasm'ed it, and it turned out to be hundreds upon hundreds of lines of the code from random Windows functions and stuff. Maybe that happened in yours?? If you haven't done it before, use OllyDbg.

vid 20 Dec 2007, 22:40
Use SysInternals Process Explorer for more detailed information.

AlexP 20 Dec 2007, 22:44
Hmmm... Vid, check out the other post about this person trying to take over the Windows command prompt's output buffer with a pipe. Very interesting, I hope you can give him an explanation of how you can't do it. I suggested a "timing attack on the cmd process" for the moment when it relinquishes its window. I totally made that up, but is it really possible to make a loop that will attack a program using AttachConsole for the exact moment it exits? That would be volatile lol...

f0dder 20 Dec 2007, 23:47
KIRK: as vid recommended, get Process Explorer to get more detailed memory usage statistics - what you should be most interested in is "Private Bytes" memory usage.

The memory size Explorer shows will never really go below 2-3 MB, since it includes the DLLs your process uses, and most of that memory is shared among all processes that are running on the system.

AlexP 21 Dec 2007, 00:40
True, and those DLLs may be very large. KERNEL32 I think is default for all apps, either that or NTDLL also. Combine that with stack space, align to page*? and other things it will only go down to around there. Still kind of funny though :)

f0dder 21 Dec 2007, 00:44
You'll always end up including KERNEL32.DLL in your apps - XP forces its inclusion, Win2k fails silently if you don't end up importing from it (i.e., it's good enough to have a single import from, say, GDI32.DLL since GDI32 imports from KERNEL32), because of the way app loading happens (your process doesn't start initial executing from peheader.entrypoint, but from kernel32.some_deep_function).

KERNEL32 in turn depends on NTDLL.

bitRAKE 21 Dec 2007, 02:49
Ah, that's nothing - here is a real memory hog:


[Attachment: mem-hog.asm, 2.76 KB. Description: Just a quick hack to grab a large block of memory.]

asmfan 21 Dec 2007, 08:00
The real amount of memory available to a process is min(avail. phys. memory; avail. virt. mem), but with one remark - you will commit page by page size of total needed to be allocated memory - the cause is virtual memory fragmentation.
I have never seen one (32-bit) program take more than 1.6-1.7 GiB without some special manipulation, e.g. large_address_aware and boot.ini /3gb.

KIRK 21 Dec 2007, 12:36
And what do you see?

[Attached image: screnn_process_explorer.JPG, 143.41 KB]



revolution 21 Dec 2007, 12:50
Yep, you got stacks, PID's, TID's, DLL info tables, lots of other information things that Windows likes to use.

KIRK 21 Dec 2007, 13:01
RBTray takes only 272 KB,
why such difference?

revolution 21 Dec 2007, 13:12
You wanted to include MessageBox so that means you get user32 and gdi32 mapped into your process. Background processes may not have used any GUI functions so accordingly have fewer mapped DLLs.

KIRK 21 Dec 2007, 13:22
thanks:)

f0dder 21 Dec 2007, 15:26
KIRK wrote:
RBTray takes only 272 KB,
why such difference?


You need to look at PRIVATE BYTES, not WORKING SET. And do yourself a favor, open perfmon.msc and see the description of the process/memory counters.

Working set becomes small when you don't have any visible windows and sit in the background. If you worry too much about these things you can use SetProcessWorkingSetSize(hpro,-1,-1);, but it's a silly hack since Windows will trim the working set as necessary.

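
Added example (not part of the thread and not any poster's code): a PowerShell script that reports, for one process, the two counters distinguished above, working set and private bytes, together with the DLLs mapped into it, which is where the shared megabytes come from. The default process name `notepad` is an assumption; the properties read are those of .NET's `System.Diagnostics.Process`.

```powershell
# Added example: working set vs. private bytes vs. mapped images for a process.
# Assumption: -Name is a process you are allowed to inspect (default is a placeholder).
param([string]$Name = 'notepad')

function Get-MemoryBreakdown {
    param([System.Diagnostics.Process]$Process)

    # Modules = the EXE image plus every DLL mapped into the address space.
    # ModuleMemorySize is the virtual size of each mapped image; only pages
    # actually touched count toward the working set, and most image pages
    # are shared with other processes that map the same DLL.
    $modules    = @($Process.Modules)
    $imageBytes = ($modules | Measure-Object -Property ModuleMemorySize -Sum).Sum

    [pscustomobject]@{
        Name          = $Process.ProcessName
        Id            = $Process.Id
        WorkingSetKB  = [math]::Round($Process.WorkingSet64 / 1KB)
        PrivateKB     = [math]::Round($Process.PrivateMemorySize64 / 1KB)
        ModuleCount   = $modules.Count
        MappedImageKB = [math]::Round($imageBytes / 1KB)
        Modules       = $modules |
            Sort-Object ModuleMemorySize -Descending |
            Select-Object ModuleName,
                @{ n = 'SizeKB'; e = { [math]::Round($_.ModuleMemorySize / 1KB) } }
    }
}

foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
    try {
        # Reading the module list can fail, e.g. for protected processes or
        # when a 32-bit host inspects a 64-bit process.
        $r = Get-MemoryBreakdown -Process $p
    } catch {
        Write-Warning "Cannot read modules of PID $($p.Id): $($_.Exception.Message)"
        continue
    }
    $r | Format-List Name, Id, WorkingSetKB, PrivateKB, ModuleCount, MappedImageKB
    $r.Modules | Format-Table -AutoSize
}
```

Run against a GUI program and a windowless background process, the module table shows user32 and gdi32 only in the former, and PrivateKB stays small in both while WorkingSetKB differs.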
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
